tomcat9 (9.0.40-1+devuan1) unstable; urgency=medium

  * Merge debian version 9.0.40-1
  * Remove all CVE patches
    Changes already included in upstream version
  * Fix gbp.conf
  * Manually synchronize patches

 -- Andreas Messer <andi@bastelmap.de>  Sun, 06 Dec 2020 18:50:17 +0100

tomcat9 (9.0.40-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Changed the home directory of the tomcat user to /var/lib/tomcat
    (Closes: #926338)

  [ Vincent McIntyre ]
  * Automatically export the JAVA_HOME environment variable when the value
    is defined in /etc/default/tomcat9 (Closes: #966338)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Nov 2020 08:21:29 +0100

tomcat9 (9.0.39-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * tomcat9-user now depends on netcat-openbsd instead of netcat
    (Closes: #966158)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Oct 2020 17:16:57 +0200

tomcat9 (9.0.38-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 16 Sep 2020 16:04:03 +0200

tomcat9 (9.0.37-3) unstable; urgency=medium

  * control: Bump build-dep on bnd, drop bnd compat and re-export patches.
    (Closes: #964433)

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 06 Aug 2020 18:59:11 +0300

tomcat9 (9.0.37-2) unstable; urgency=medium

  * d/p/0029-fix-regression-in-bz64540.patch: Re-export util.net.jsse
    and util.modeler.modules. (Closes: #964433)

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 28 Jul 2020 14:09:13 +0300

tomcat9 (9.0.37-1+devuan1) unstable; urgency=medium

  * Merge debian version 9.0.37-1

 -- Andreas Messer <andi@bastelmap.de>  Wed, 22 Jul 2020 18:41:31 +0200

tomcat9 (9.0.37-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with the version of bnd in Debian
  * Restored execute permission on /var/log/tomcat9 to the adm group

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 06 Jul 2020 22:39:32 +0200

tomcat9 (9.0.36-1+devuan1) unstable; urgency=medium

  * Merge debian version 9.0.36-1
  * Adjust Vcs info in debian/control

 -- Andreas Messer <andi@bastelmap.de>  Thu, 25 Jun 2020 19:46:46 +0200

tomcat9 (9.0.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Grant write access on /var/log/tomcat9 to the adm group (LP: #1861881)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 23 Jun 2020 11:47:47 +0200

tomcat9 (9.0.35-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2020-9484: Remote Code Execution via session persistence (Closes: #961209)
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 21 May 2020 15:50:03 +0200

tomcat9 (9.0.34-1+devuan1) unstable; urgency=medium

  * Merge debian version 9.0.34-1

 -- Andreas Messer <andi@bastelmap.de>  Mon, 04 May 2020 21:01:59 +0200

tomcat9 (9.0.34-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Depend on libeclipse-jdt-core-java (>= 3.18.0)
  * Switch to debhelper level 12

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 27 Apr 2020 00:36:59 +0200

tomcat9 (9.0.31-1~deb10u2+devuan1) beowulf; urgency=medium

  * Merge debian version 9.0.31-1~deb10u2

 -- Andreas Messer <andi@bastelmap.de>  Thu, 19 Nov 2020 21:15:55 +0100

tomcat9 (9.0.31-1~deb10u2) buster-security; urgency=high

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2020-13935: WebSocket Denial of Service. The payload length
    in a WebSocket frame was not correctly validated. Invalid payload lengths
    could trigger an infinite loop. Multiple requests with invalid payload
    lengths could lead to a denial of service.
  * Fixed CVE-2020-13934: HTTP/2 Denial of Service. An h2c direct connection
    did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a
    sufficient number of such requests were made, an OutOfMemoryException
    could occur leading to a denial of service.

  [ Markus Koschany ]
  * Fix CVE-2020-9484:
    When using Apache Tomcat, if a) an attacker is able to control the contents
    and name of a file on the server; and b) the server is configured to use the
    PersistenceManager with a FileStore; and c) the PersistenceManager is
    configured with sessionAttributeValueClassNameFilter="null" (the default
    unless a SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker knows the
    relative file path from the storage location used by FileStore to the file
    the attacker has control over; then, using a specifically crafted request,
    the attacker will be able to trigger remote code execution via
    deserialization of the file under their control. Note that all of
    conditions a) to d) must be true for the attack to succeed.
  * Fix CVE-2020-11996:
    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
    trigger high CPU usage for several seconds. If a sufficient number of such
    requests were made on concurrent HTTP/2 connections, the server could
    become unresponsive.

 -- Markus Koschany <apo@debian.org>  Wed, 15 Jul 2020 13:43:33 +0200

tomcat9 (9.0.31-1~deb10u1) buster-security; urgency=high

  * Team upload.
  * Backport 9.0.31-1 to Buster to fix CVE-2020-1938, CVE-2020-1935,
    CVE-2019-17569, CVE-2019-17563, CVE-2019-12418 and CVE-2019-10072.
    The fix for CVE-2020-1938 may require configuration changes when Tomcat is
    used with the AJP protocol, e.g. in combination with libapache-mod-jk. For
    instance the attribute secretRequired is set to true by default now. Server
    admins should carefully investigate the impact of the changes before
    upgrading.
    See also https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html

 -- Markus Koschany <apo@debian.org>  Sat, 25 Apr 2020 14:24:56 +0200

tomcat9 (9.0.31-1+devuan1) unstable; urgency=medium

  * Merge debian version 9.0.31-1
  * Promote myself as maintainer

 -- Andreas Messer <andi@bastelmap.de>  Sun, 03 May 2020 18:54:57 +0200

tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
    - Fixes CVE-2019-12418: Local Privilege Escalation
    - Fixes CVE-2019-17563: Session fixation attack
    - Fixes CVE-2019-17569: HTTP Request Smuggling
    - Fixes CVE-2020-1935: HTTP Request Smuggling
    - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
    - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
    - Refreshed the patches
    - Fixed the compilation with Java 11
  * Moved the RequiresMountsFor directive in the service file
    to the Unit section (Closes: #942316)
  * Tightened the dependency on systemd (Closes: #931997)
  * Standards-Version updated to 4.5.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Feb 2020 23:37:00 +0100

tomcat9 (9.0.27-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.4.1

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 14 Oct 2019 11:31:50 +0200

tomcat9 (9.0.24-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 Aug 2019 13:55:14 +0200

tomcat9 (9.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Track and download the new releases from GitHub
  * Standards-Version updated to 4.4.0

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 12 Jul 2019 15:01:28 +0200

tomcat9 (9.0.16-5+devuan2) unstable; urgency=medium

  * Prepare Vcs Urls for migration

 -- Andreas Messer <andi@bastelmap.de>  Thu, 16 Jan 2020 21:14:58 +0100

tomcat9 (9.0.16-5+devuan1) unstable; urgency=medium

  * Devuanize packet
  * Require Java 10 compiler as a minimum
  * Remove systemd logger

 -- Andreas Messer <andi@bastelmap.de>  Tue, 14 Jan 2020 20:35:17 +0100

tomcat9 (9.0.16-5) experimental; urgency=low

  * Team upload.
  * Upload to experimental to get wider testing and availability
  * debian/logging.properties: Add commented-out non-systemd configuration
  * Make tomcat9 installable without systemd:
    - Readd logic to create the system user via adduser
    - Add sysvinit script, for init independence (Closes: #925473)
  * debian/README.Debian: Document non-systemd risks
  * Do not read /etc/default/tomcat9 twice

 -- Thorsten Glaser <tg@mirbsd.de>  Fri, 21 Jun 2019 18:38:08 +0200

tomcat9 (9.0.16-4) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
    by default (Closes: #929895)

  [ Thorsten Glaser ]
  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
    a suitable GC automatically anyway (Closes: #925928)
  * Correct the ownership and permissions on the log directory:
    group adm and setgid (Closes: #925929)
  * Make the startup script honour the (renamed) $SECURITY_MANAGER
  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
    not executable as this is only ever sourced (makes no sense otherwise)

  [ Christian Hänsel ]
  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 13 Jun 2019 23:26:12 +0200

tomcat9 (9.0.16-3) unstable; urgency=medium

  * Removed read/write access to /var/lib/solr (Closes: #923299)
  * Removed the broken catalina-ws.jar and catalina-jmx-remote.jar
    symlinks in /usr/share/tomcat9/lib/

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 26 Feb 2019 09:31:13 +0100

tomcat9 (9.0.16-2) unstable; urgency=medium

  * Team upload.
  * tomcat9.service: Permit read and write access to /var/lib/solr too.
    (Closes: #919638)

 -- Markus Koschany <apo@debian.org>  Mon, 18 Feb 2019 20:58:51 +0100

tomcat9 (9.0.16-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Install the new Chinese, Czech, German, Korean and Portuguese translations
    - No longer build the extra WS and JMX jars
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Feb 2019 08:26:48 +0100

tomcat9 (9.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Create the /var/log/tomcat9/ and /var/cache/tomcat9/ directories
    at install time (Closes: #915791)
  * Tightened the dependency on systemd

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 12 Dec 2018 13:45:52 +0100

tomcat9 (9.0.13-2) unstable; urgency=medium

  * Install the tomcat-embed-* artifacts with the 9.x version (Closes: #915578)
  * Modified the dependencies required for creating the tomcat user
    (adduser is replaced by systemd) (Closes: #915586)
  * Fixed the tomcat-jasper pom to reference the ECJ dependency
    from libeclipse-jdt-core-java
  * Removed the redundant ReadWritePaths options in the service file for the log
    and cache directories (Thanks to Lennart Poettering for the suggestion)

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 05 Dec 2018 10:04:52 +0100

tomcat9 (9.0.13-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Renamed the package to tomcat9
    - Removed the libservlet3.1-java package. From now on the Servlet API
      is packaged in a separate package independent from Tomcat.
    - Depend on libeclipse-jdt-core-java (>= 3.14.0) instead of libecj-java
    - Updated the policy files in /etc/tomcat8/policy.d/
    - Use the OSGi metadata generated by the upstream build
    - Deploy the Tomcat artifacts in the Maven repository with the 9.x version
    - Updated the README file
  * Removed the SysV init script
  * Restart the server automatically on failures
  * Use a fixed non-configurable user 'tomcat' to run the server
  * Removed the debconf integration. The user being now unmodifiable,
    the remaining configuration parameter JAVA_OPTS can be edited in
    /etc/default/tomcat9
  * No longer add the 'common', 'server' and 'shared' directories under
    CATALINA_HOME and CATALINA_BASE to the classpath. Extra jar files should go
    to the 'lib' directory.
  * Let Tomcat handle the rotation of its log files with the maxDays parameter
    of the valves and log handlers instead of relying on a cron job
  * Renamed the TOMCAT_SECURITY parameter to SECURITY_MANAGER in the service
    configuration file
  * Simplified the postinst script by using systemd-sysusers to create
    the 'tomcat' user
  * No longer create the /etc/tomcat9/Catalina/localhost directory at install
    time and let Tomcat create it automatically
  * Let systemd automatically create /var/log/tomcat9 and /var/cache/tomcat9
  * Prevent Tomcat from writing outside of /var/log/tomcat9, /var/cache/tomcat9,
    /var/lib/tomcat9/webapps and /etc/tomcat9/Catalina by default. This can be
    overridden (see the README file).
  * Build and install the extra jar catalina-ws.jar
  * No longer recommend libcommons-pool-java and libcommons-dbcp-java since
    Tomcat already embeds its own version of these libraries
  * Support three-way merge when upgrading the configuration files
  * Use the G1 garbage collector by default instead of Concurrent Mark Sweep
  * The setenv.sh script in tomcat9-user and the service startup script now
    share the same JDK detection logic

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 28 Nov 2018 15:06:00 +0100

tomcat8 (8.5.35-3) UNRELEASED; urgency=medium

  * Team upload.
  * Updated the version required for libtcnative-1 (>= 1.2.18)
  * Install the Russian translation added in Tomcat 8.5.33

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 20 Nov 2018 14:38:01 +0100

tomcat8 (8.5.35-2) unstable; urgency=medium

  * Team upload.
  * Fixed the build failure with Easymock 4 (Closes: #913402)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Nov 2018 10:52:08 +0100

tomcat8 (8.5.35-1) unstable; urgency=medium

  * Team upload.

  [ Thomas Opfer ]
  * Removed old version requirement for package ant-optional that is not
    required any more.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Nov 2018 23:40:00 +0100

tomcat8 (8.5.34-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 10 Sep 2018 14:31:03 +0200

tomcat8 (8.5.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 8.5.33.
    - Tomcat compiles to Java 7 bytecode and passes release=7 to javac now.
      This ensures backwards compatibility with older JREs. (Closes: #906447)
  * Declare compliance with Debian Policy 4.2.1.
  * Refresh 0025-invalid-configuration-exit-status.patch.

 -- Markus Koschany <apo@debian.org>  Mon, 27 Aug 2018 13:41:16 +0200

tomcat8 (8.5.32-2) unstable; urgency=medium

  * Team upload.
  * Added a systemd service file (Closes: #832151, #817909)
  * Look for the Java runtime in the paths used by java-package >= 0.61
    (/usr/lib/jvm/oracle-java<n>-{jre,jdk}-*) (Closes: #894318)
  * Install catalina.policy in the tomcat8-user package to be able to run
    custom instances with a security manager (Closes: #736321)
  * Disabled the shutdown port (8005) by default
  * Updated the policy files in /etc/tomcat8/policy.d/
  * Added the missing Maven rules to use the 8.x generic version for
    tomcat-jaspic-api, tomcat-storeconfig and tomcat-util-scan
  * Set the gecos field when creating the tomcat8 user
  * No longer set JSSE_HOME in the init script (JSSE is enabled by default)
  * Standards-Version updated to 4.2.0

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 09 Aug 2018 17:53:44 +0200

tomcat8 (8.5.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 25 Jun 2018 14:51:50 +0200

tomcat8 (8.5.31-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Build with ant/1.10.3-2 and the automatic 'release' attribute restoring
    the backward compatibility with Java 7 (Closes: #895866)
  * Search for Java 10 and 11 runtimes
  * Don't follow the symlinks when setting the owner of the /var/log/tomcat8
    and /var/cache/tomcat8 directories in the postinst script
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Jun 2018 13:32:46 +0200

tomcat8 (8.5.30-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.4

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 12 Apr 2018 09:49:28 +0200

tomcat8 (8.5.29-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Mar 2018 16:43:57 +0100

tomcat8 (8.5.28-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled the tests checking the ARIA cipher since it isn't enabled
      by default in OpenSSL
  * Standards-Version updated to 4.1.3
  * Switch to debhelper level 11
  * Use a secure URL for checking and downloading the new releases
  * No longer parse dpkg-parsechangelog in debian/rules

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 16 Feb 2018 13:43:01 +0100

tomcat8 (8.5.24-2) unstable; urgency=medium

  * Team upload.
  * Removed the setDefaultAsyncSendTimeout method mistakenly added to
    javax.websocket.WebSocketContainer in the version 8.5.24 (Closes: #884046)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Dec 2017 12:35:33 +0100

tomcat8 (8.5.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 01 Dec 2017 09:20:18 +0100

tomcat8 (8.5.23-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Standards-Version updated to 4.1.1

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 Oct 2017 00:01:48 +0200

tomcat8 (8.5.21-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
    - Disabled Checkstyle
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)

  [ Miguel Landaeta ]
  * Remove myself from uploaders. (Closes: #871892)
  * Update copyright info.

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 20 Sep 2017 10:06:56 +0200

tomcat8 (8.5.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.0.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 26 Jun 2017 16:03:53 +0200

tomcat8 (8.5.15-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Jun 2017 13:00:44 +0200

tomcat8 (8.5.14-2) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
    DefaultServlet is configured to permit writes (Closes: #864447)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Jun 2017 12:28:34 +0200

tomcat8 (8.5.14-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Removed the CVE patches (fixed in this release)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 08 May 2017 00:17:52 +0200

tomcat8 (8.5.12-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 18 Apr 2017 09:53:23 +0200

tomcat8 (8.5.11-2) unstable; urgency=medium

  * Team upload.
  * Fix the following security vulnerabilities (Closes: #860068):
    Thanks to Salvatore Bonaccorso for the report.
    - CVE-2017-5647:
      A bug in the handling of the pipelined requests when send file was used
      resulted in the pipelined request being lost when send file processing of
      the previous request completed. This could result in responses appearing
      to be sent for the wrong request. For example, a user agent that sent
      requests A, B and C could see the correct response for request A, the
      response for request C for request B and no response for request C.
    - CVE-2017-5648:
      It was noticed that some calls to application listeners did not use the
      appropriate facade object. When running an untrusted application under a
      SecurityManager, it was therefore possible for that untrusted application
      to retain a reference to the request or response object and thereby access
      and/or modify information associated with another web application.
    - CVE-2017-5650:
      The handling of an HTTP/2 GOAWAY frame for a connection did not close
      streams associated with that connection that were currently waiting for a
      WINDOW_UPDATE before allowing the application to write more data. These
      waiting streams each consumed a thread. A malicious client could therefore
      construct a series of HTTP/2 requests that would consume all available
      processing threads.
    - CVE-2017-5651:
      The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
      regression in the send file processing. If the send file processing
      completed quickly, it was possible for the Processor to be added to the
      processor cache twice. This could result in the same Processor being used
      for multiple requests which in turn could lead to unexpected errors and/or
      response mix-up.
  * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.

 -- Markus Koschany <apo@debian.org>  Wed, 12 Apr 2017 09:58:46 +0200
  424. tomcat8 (8.5.11-1) unstable; urgency=medium
  425. * Team upload.
  426. * New upstream release
  427. - Refreshed the patches
  428. * Recommend Java 8 in /etc/default/tomcat8
  429. -- Emmanuel Bourg <ebourg@apache.org> Tue, 17 Jan 2017 15:09:30 +0100
  430. tomcat8 (8.5.9-2) unstable; urgency=medium
  431. * Team upload.
  432. * Require Java 8 or higher (Closes: #848612)
  433. -- Emmanuel Bourg <ebourg@apache.org> Mon, 19 Dec 2016 15:35:19 +0100
  434. tomcat8 (8.5.9-1) unstable; urgency=medium
  435. * Team upload.
  436. * New upstream release
  437. - Refreshed the patches
  438. * Restored the classloading from the common, server and shared directories
  439. under CATALINA_BASE (Closes: #847137)
  440. * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
  441. contains the '%' character (Closes: #770911)
  442. -- Emmanuel Bourg <ebourg@apache.org> Thu, 08 Dec 2016 22:26:36 +0100
  443. tomcat8 (8.5.8-2) unstable; urgency=medium
  444. * Team upload.
  445. * Upload to unstable.
  446. * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
  447. in the postinst script (Closes: #845393)
  448. * The tomcat8 user is no longer removed when the package is purged
  449. (Closes: #845385)
  450. * Compress and remove the access log files with a .txt extension
  451. (Closes: #845661)
  452. * Added the delaycompress option to the logrotate configuration
  453. of catalina.out (Closes: #843135)
  454. * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
  455. to /var/lib/tomcat8 (Closes: #833261)
  456. * Aligned the logging configuration with the upstream one
  457. * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
  458. * Install the new library jaspic-api.jar
  459. * Install the Maven artifacts for tomcat-storeconfig
  460. * Simplified debian/rules
  461. -- Emmanuel Bourg <ebourg@apache.org> Thu, 01 Dec 2016 18:41:14 +0100
  462. tomcat8 (8.5.8-1) experimental; urgency=medium
  463. * Team upload.
  464. * New upstream release
  465. - Refreshed the patches
  466. - Tomcat no longer builds tomcat-embed-logging-juli.jar
  467. - Updated the policy files
  468. - Added a NEWS file detailing the major changes in Tomcat 8.5.x
  469. * Enabled the APR library loading by default (required for HTTP/2 support)
  470. * Promoted libtcnative-1 from suggested to recommended dependency
  471. * Enabled the APR tests
  472. * Fixed the test failure with TestStandardContextAliases
  473. * Added a link to the Tomcat 8.5 migration guide in README.Debian
  474. * Adapted debian/orig-tar.sh to download the 8.5.x releases
  475. -- Emmanuel Bourg <ebourg@apache.org> Thu, 17 Nov 2016 23:54:35 +0100
  476. tomcat8 (8.0.39-1) unstable; urgency=medium
  477. * Team upload.
  478. * New upstream release
  479. - Refreshed the patches
  480. -- Emmanuel Bourg <ebourg@apache.org> Tue, 15 Nov 2016 15:37:48 +0100
  481. tomcat8 (8.0.38-2) unstable; urgency=high
  482. * Team upload.
  483. * CVE-2016-1240 follow-up:
  484. - The previous init.d fix was vulnerable to a race condition that could
  485. be exploited to make any existing file writable by the tomcat user.
  486. Thanks to Paul Szabo for the report and the fix.
  487. - The catalina.policy file generated on startup was affected by a similar
  488. vulnerability that could be exploited to overwrite any file on the system.
  489. Thanks to Paul Szabo for the report.
  490. * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
  491. * Added the new libtomcat8-embed-java package containing the libraries
  492. for embedding Tomcat into other applications.
  493. * Switch to debhelper level 10
  494. -- Emmanuel Bourg <ebourg@apache.org> Fri, 28 Oct 2016 01:17:23 +0200
  495. tomcat8 (8.0.38-1) unstable; urgency=medium
  496. * Team upload.
  497. * New upstream release
  498. - Refreshed the patches
  499. * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
  500. * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar
  501. * Depend on libcglib-nodep-java instead of libcglib3-java
  502. * Removed the unused Lintian overrides
  503. -- Emmanuel Bourg <ebourg@apache.org> Wed, 19 Oct 2016 11:01:03 +0200
  504. tomcat8 (8.0.37-1) unstable; urgency=medium
  505. * Team upload.
  506. * New upstream release
  507. * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)
  508. -- Emmanuel Bourg <ebourg@apache.org> Mon, 19 Sep 2016 09:37:33 +0200
  509. tomcat8 (8.0.36-3) unstable; urgency=high
  510. * Team upload.
  511. * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
  512. attackers who have gained access to the server in the context of the
  513. tomcat user through a vulnerability in a web application to replace
  514. the catalina.out file with a symlink to an arbitrary file on the system,
  515. potentially leading to a root privilege escalation.
  516. Thanks to Dawid Golunski for the report.
  517. * Removed the default 128M heap limit (LP: #568823)
  518. * Depend on taglibs-standard instead of jakarta-taglibs-standard
  519. -- Emmanuel Bourg <ebourg@apache.org> Wed, 14 Sep 2016 10:20:28 +0200
  520. tomcat8 (8.0.36-2) unstable; urgency=medium
  521. * Team upload.
  522. * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
  523. (Closes: #825786)
  524. * Change file permissions to 640 for Debian files in /etc/tomcat8.
  525. -- Markus Koschany <apo@debian.org> Tue, 02 Aug 2016 10:50:42 +0200
  526. tomcat8 (8.0.36-1) unstable; urgency=medium
  527. * Team upload.
  528. * New upstream release
  529. - Refreshed the patches
  530. - Depend on libecj-java (>= 3.11.0)
  531. * Standards-Version updated to 3.9.8 (no changes)
  532. * Use a secure Vcs-Git URL
  533. -- Emmanuel Bourg <ebourg@apache.org> Tue, 14 Jun 2016 14:34:46 +0200
  534. tomcat8 (8.0.32-1) unstable; urgency=medium
  535. * Team upload.
  536. * New upstream release
  537. * Fixed a warning in catalina.out caused by an incorrect path
  538. for the root context (Closes: #808378)
  539. * Standards-Version updated to 3.9.7 (no changes)
  540. -- Emmanuel Bourg <ebourg@apache.org> Mon, 21 Dec 2015 11:20:10 +0100
  541. tomcat8 (8.0.30-1) unstable; urgency=medium
  542. * Team upload.
  543. * New upstream release
  544. - Refreshed the patches
  545. * Use LC_ALL instead of LANG to format the date and make the documentation
  546. reproducible on the builders
  547. -- Emmanuel Bourg <ebourg@apache.org> Fri, 18 Dec 2015 11:44:06 +0100
  548. tomcat8 (8.0.28-1) unstable; urgency=medium
  549. * Team upload.
  550. * New upstream release
  551. - Refreshed the patches
  552. * Fixed a localized date in the documentation to improve the reproducibility
  553. -- Emmanuel Bourg <ebourg@apache.org> Mon, 19 Oct 2015 11:12:07 +0200
  554. tomcat8 (8.0.26-1) unstable; urgency=medium
  555. * Team upload.
  556. * New upstream release
  557. - Refreshed the patches
  558. * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  559. * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
  560. (LP: #1010791)
  561. * Fixed a minor HTML error in the default index.html file (LP: #1236132)
  562. -- Emmanuel Bourg <ebourg@apache.org> Mon, 24 Aug 2015 00:30:40 +0200
  563. tomcat8 (8.0.24-1) unstable; urgency=medium
  564. * Team upload.
  565. * New upstream release
  566. - Refreshed the patches
  567. * debian/rules: Use an english locale when generating the documentation
  568. to improve the reproducibility
  569. -- Emmanuel Bourg <ebourg@apache.org> Wed, 08 Jul 2015 17:42:14 +0200
  570. tomcat8 (8.0.23-1) unstable; urgency=medium
  571. * New upstream release
  572. * debian/rules: Set the 'year' and 'today-iso-8601' build variables
  573. to improve the reproducibility
  574. -- Emmanuel Bourg <ebourg@apache.org> Tue, 26 May 2015 16:04:01 +0200
tomcat8 (8.0.22-2) unstable; urgency=medium

  * Replaced the date in ServerInfo.properties with the latest date
    in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long-gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat8-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc
    - Simplified the call to mh_install

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 07 May 2015 14:13:30 +0200

tomcat8 (8.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - No longer install tomcat-spdy.jar (removed upstream)
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 06 May 2015 09:30:38 +0200

tomcat8 (8.0.21-2) unstable; urgency=medium

  * Upload to unstable.

 -- Miguel Landaeta <nomadium@debian.org>  Fri, 01 May 2015 12:41:13 -0300

tomcat8 (8.0.21-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Support the JVMs installed by the older versions of java-package (<< 0.52)
    and the oracle-java<n>-installer packages from webupd8 (Closes: #769166)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 30 Mar 2015 19:40:22 +0200

tomcat8 (8.0.18-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 27 Jan 2015 22:54:00 +0100

tomcat8 (8.0.17-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Jan 2015 09:58:16 +0100

tomcat8 (8.0.15-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 08 Dec 2014 23:59:10 +0100

tomcat8 (8.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Build-depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 13:23:43 +0200

tomcat8 (8.0.12-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Fixed the tomcat8-examples configuration (Closes: #753372)
  * No longer create the common/server/shared directories under
    /var/lib/tomcat8, and use a unique lib directory as documented
    upstream since Tomcat 6. The old directories are still supported
    if inherited from a previous installation (Closes: #754386)
  * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs
  * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as
    the default JDBC pool implementation instead of Commons DBCP.
  * Removed the obsolete patch 0012-java7-compat.patch
  * Tightened the build dependency on junit4 (>= 4.11)
  * Build the Javadoc with the JDK specified by the JAVA_HOME variable
    instead of the default JDK (this fixes a build failure when backporting
    to Wheezy)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat8

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Sep 2014 16:23:52 +0200

tomcat8 (8.0.9-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non-existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Jun 2014 21:28:37 +0200

tomcat8 (8.0.8-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 May 2014 13:01:55 +0200

tomcat8 (8.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Apr 2014 10:22:45 +0200

tomcat8 (8.0.3-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig)
    - Updated the artifactId of the specification jars to include
      the new javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the package descriptions
    - Mentioned 'Apache Tomcat' in the package descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard-coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts
    with other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java
    to libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links
    in /usr/share/java with the specification versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings
    on the tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified
    the classpath of jasper.jar in libtomcat8-java.manifest instead.

  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 15 Mar 2014 23:23:14 +0100